kerberos-user-identity

Use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN). The custom UPN can be constructed from either plain text or the contents of credential attributes.

kerberos-user-identity = username@domain
kerberos-user-identity = username
kerberos-user-identity = @domain
kerberos-user-identity = fqdn

Description

An administrator can use this entry to overwrite the UPN, or sections of the UPN, for Kerberos constrained delegation users. The replacement information can be either plain text or the names of credential attributes that store the required information. If plain text is specified, it is copied directly into the corresponding UPN section. If a credential attribute name is specified, the replacement text is taken from the value of that credential attribute.

The domain information can also be extracted from the DC elements of the user's DN through the attribute attr:dn.

If no user name is defined, the client credential name is used.

If no domain is defined, the WebSEAL service account domain is used.

The domain value must be uppercase. Any input data that is not uppercase is automatically converted to uppercase. The domain must also be added as a realm to the Kerberos configuration.

Options

Usage: Optional. It can be customized for a particular junction in the [junction: junction_name] stanza.

Default value: None

Example:

kerberos-user-identity = bob@IBM.COM
kerberos-user-identity = attr:SamAccountName@IBM.COM
kerberos-user-identity = @attr:dn
kerberos-user-identity = attr:FQDN
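
The resolution rules from the Description, modelled as an added Python example (not WebSEAL code or IBM's implementation). The function names, the sample credential, the error raised on a missing attribute and the dot-joining of DC elements are assumptions of this example; the single-value fqdn form is not modelled.

```python
# Added illustration of the rules on this page; not WebSEAL code.
# All names and the sample credential below are constructed.
SAMPLE_ATTRS = {
    "SamAccountName": "bsmith",
    "dn": "CN=Bob Smith,OU=Staff,DC=example,DC=ibm,DC=com",
}


def resolve(token, attrs):
    """Plain text is copied as-is; attr:NAME is read from the credential."""
    if not token.startswith("attr:"):
        return token
    name = token[len("attr:"):]
    if name not in attrs:
        # Assumption: fail closed instead of building an empty component.
        raise KeyError(f"credential attribute {name!r} not present")
    return attrs[name]


def domain_from_dn(dn):
    """Join the DC elements of a DN, e.g. DC=ibm,DC=com -> ibm.com."""
    parts = []
    for rdn in dn.split(","):  # simplification: escaped commas not handled
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() == "dc":
            parts.append(value.strip())
    if not parts:
        raise ValueError("no DC elements in DN")
    return ".".join(parts)  # assumption: DC elements joined with dots


def build_upn(entry, attrs, cred_name, service_domain):
    """Resolve username@domain, username or @domain into a UPN."""
    user_tok, _, dom_tok = entry.strip().partition("@")
    # No user name defined -> client credential name.
    user = resolve(user_tok, attrs) if user_tok else cred_name
    if not dom_tok:
        # No domain defined -> WebSEAL service account domain.
        domain = service_domain
    elif dom_tok == "attr:dn":
        domain = domain_from_dn(resolve(dom_tok, attrs))
    else:
        domain = resolve(dom_tok, attrs)
    return f"{user}@{domain.upper()}"  # domain is always uppercased


if __name__ == "__main__":
    for e in ("bob@IBM.COM", "attr:SamAccountName@ibm.com", "@attr:dn"):
        print(e, "->", build_upn(e, SAMPLE_ATTRS, "bob.smith", "WEBSEAL.LOCAL"))
```

Because the resulting UPN names the user that constrained delegation acts as, checking each junction's entry against a representative credential shows which principal the back-end will see.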

Parent topic: [junction] stanza